要求除了 RSS 提要之外的 Wordpress 博客的 httpauth 用户名和密码

Posted 2023-03-10

【中文标题】要求除了 RSS 提要之外的 Wordpress 博客的 httpauth 用户名和密码

【英文标题】：Requiring httpauth username and password for Wordpress blog except RSS feed

【发布时间】：2014-06-28 01:43:06

【问题描述】：

我正在尝试使用 httpauth 保护我的 wordpress 博客，但 RSS 提要除外。这在 apache 2.2 中对我有用，但我无法在 apache 2.4 中使用。

我的博客目录中有一个 .htaccess 文件，如下所示：

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /blog/
RewriteCond %REQUEST_FILENAME !-f
RewriteCond %REQUEST_FILENAME !-d
RewriteRule . /blog/index.php [L]
</IfModule>
# END WordPress

AuthUserFile .htpasswd
AuthGroupFile /dev/null
AuthName blog
AuthType Basic
SetEnvIf Request_URI ^.*/feed/$ allow_access
<RequireAny>
    Require env allow_access
    Require expr %REQUEST_URI =~ m#^.*/feed/$#
    Require ip 127.0.0.1
    Require valid-user
</RequireAny>

这确实要求我输入密码，这是应该的，但即使在以 /feed/ 结尾的 URI 上，它仍然要求输入密码，它不应该这样做。

我的理解是 RequireAny 块中的前两行中的任何一行都应该满足 RequireAny，因此不要求输入密码。

在 apache 2.2 中，这对我有用，与

allow from env=allow_access

我做错了什么？是否有其他或更好的方法来做到这一点？

更新：我为 mod_rewrite 和 mod_authz 添加了额外的日志记录。这给了我以下信息：

[Sat May 10 16:31:32.590983 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of Require env allow_access: granted
[Sat May 10 16:31:32.591570 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of <RequireAny>: granted
[Sat May 10 16:31:32.591694 2014] [rewrite:trace3] [pid 23422] mod_rewrite.c(475): [client 192.168.1.2:41194] 192.168.1.2 - - [www.example.com/sid#7fdd2871f880][rid#7fdd28c5f250/initial] [perdir /var/www/html/www.example.com/blog/] add path info postfix: /var/www/html/www.example.com/blog/feed -> /var/www/html/www.example.com/blog/feed/
[Sat May 10 16:31:32.591731 2014] [rewrite:trace3] [pid 23422] mod_rewrite.c(475): [client 192.168.1.2:41194] 192.168.1.2 - - [www.example.com/sid#7fdd2871f880][rid#7fdd28c5f250/initial] [perdir /var/www/html/www.example.com/blog/] strip per-dir prefix: /var/www/html/www.example.com/blog/feed/ -> feed/
[Sat May 10 16:31:32.591754 2014] [rewrite:trace3] [pid 23422] mod_rewrite.c(475): [client 192.168.1.2:41194] 192.168.1.2 - - [www.example.com/sid#7fdd2871f880][rid#7fdd28c5f250/initial] [perdir /var/www/html/www.example.com/blog/] applying pattern '.' to uri 'feed/'
[Sat May 10 16:31:32.591813 2014] [rewrite:trace2] [pid 23422] mod_rewrite.c(475): [client 192.168.1.2:41194] 192.168.1.2 - - [www.example.com/sid#7fdd2871f880][rid#7fdd28c5f250/initial] [perdir /var/www/html/www.example.com/blog/] rewrite 'feed/' -> '/blog/index.php'
[Sat May 10 16:31:32.591843 2014] [rewrite:trace2] [pid 23422] mod_rewrite.c(475): [client 192.168.1.2:41194] 192.168.1.2 - - [www.example.com/sid#7fdd2871f880][rid#7fdd28c5f250/initial] [perdir /var/www/html/www.example.com/blog/] trying to replace prefix /var/www/html/www.example.com/blog/ with /blog/
[Sat May 10 16:31:32.591866 2014] [rewrite:trace1] [pid 23422] mod_rewrite.c(475): [client 192.168.1.2:41194] 192.168.1.2 - - [www.example.com/sid#7fdd2871f880][rid#7fdd28c5f250/initial] [perdir /var/www/html/www.example.com/blog/] internal redirect with /blog/index.php [INTERNAL REDIRECT]
[Sat May 10 16:31:32.592086 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of Require env allow_access: denied
[Sat May 10 16:31:32.592122 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of Require expr %REQUEST_URI =~ m#^.*/feed/$#: denied
[Sat May 10 16:31:32.592141 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of Require ip 127.0.0.1: denied
[Sat May 10 16:31:32.592158 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Sat May 10 16:31:32.592175 2014] [authz_core:debug] [pid 23422] mod_authz_core.c(802): [client 192.168.1.2:41194] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)

所以授权检查两次；重写之前和之后。问题是，rewrite 后 request_uri 显然不一样了。欢迎提出建议。

【参考方案1】：

我终于在这个Stack Exchange question找到了答案

使用url重写时，环境变量保存为REDIRECT_variable_name。

所以添加一行

    Require env REDIRECT_allow_access

<RequireAny> 块内为我解决了问题。